Many organisations have felt the face of digital transformation - either from disruptive competitors, or from undergoing, internal and external change themselves. Simon Moffatt MBCS, Director of Product Management at ISV ForgeRock, asks what does that mean? And what are the implications to both digital identity and digital security architectures?

Digital transformation provides many new revenue generating opportunities for many industries and verticals. The banking and financial services industry has seen tremendous change, where high street banking interactions for example, are being migrated to mobile apps on a large scale. Personal, home and car insurance purchases can now be an entirely online experience, with many insurance providers starting to use Internet of Things style capabilities to provide vehicle or home monitoring, in order to reduce their liability and deliver reduced premiums for consumers.

But, as new business opportunities abound, challenges soon follow and the most successful organisations are learning to adapt, both technically and culturally, to this brave new digital world.

Organisational challenges

‘The consumer is always right’. The consumer today, has more information, power and supplier control that at any point in the last 100 years. They are literally one click away from moving to a competitor or filing a complaint - probably via a very public social media outlet. The consumer can also be your biggest sales engine. Through digital word of mouth, recommendation and peer review, a happy customer is a valuable commodity.

But, what is a happy customer and how do you create and keep them? Consumers of digital services have several common requirements: They want personalisation, simplicity and digital empathy.


They want data about them, delivered to them, when they want, on a device of their choice at a time of their choosing. They don’t want to search - they need to be found. This requires the service provider, to capture immediate context surrounding the digital interaction. The digital equivalent of the who, what, why and when?


Ease of use is the holy grail of any digital interaction. The fashion icon Coco Chanel summed this up perfectly: ‘Dress shabbily and they remember the dress; dress impeccably and they remember the woman.’ If the sign-up and sign-in experience of any digital interaction is too cumbersome, complicated and slow, that is exactly what the end user remembers. Not the brilliant service, product or application you are trying to deliver.


The business benefits of transformation are well understood. But equally, digital interactions also require compliance to several new and emerging regulations. The General Data Protection Regulation came into effect in May 2018. This is probably one of the most transformative pieces of data protection regulation in recent times. The GDPR requires numerous steps to both protect and inform the end user, of how their data is being used and why. Full adherence requires an integrated set of services for data, identity and consent management.

Identity management is evolving

A successful digital transformation programme has identity management at its centre. Not just from a consent management perspective, but also from a security and user experience standpoint. How can you deliver an online financial service, create a world class retail experience or provide online government services, without providing sign-up, sign-in and consent management services? This is where digital identity comes in.

Traditional identity and access management was very much focused on employees. When a new employee joined an organisation, they would need to be setup on various different systems in order to do their job. HR and payroll are obvious, but in addition, they would likely need creating in a corporate directory or LDAP, email system and any other core applications such as databases, intranets and mainframes - all with the correct permissions for their job role. Upon termination, their access would need removing and their accounts disabling or deleting. During their working hours, identity management would then be responsible for things like further access requests, single sign on (entering a username and password once and being able to log in seamlessly to multiple systems) as well as handling things like multi-factor authentication for administrators or users with access to high risk systems.

Move forward to 2019 and those use cases are being applied not just to internal employees, but your external consumers too. But, instead of handling this for a magnitude of users in their thousands, a digital consumer facing system, may have to manage end users in their millions - perhaps with several thousand registering at once over busy periods. Logging in from multiple different devices which you, as a service provider, have little control over - the common bring your own device (BYOD) paradigm. What if they want to use their social media account to register to your service and bring their own identity (BYOI)? A digital identity platform needs to be flexible with the ability to handle multiple different authentication and authorisation requirements and integrations.

The requirements for consumer facing identity are not just related to scale. There is a new set of security requirements too.

Security or convenience?

Security has always been at odds, with convenience and simplicity. Security is traditionally seen as restrictive and inhibitive - interrupting the most high risk users with multi-factor authentication, or additional checks in order to reduce risk. The modern consumer of a digital service, demands a seamless and friction free journey. They require one-click registration and a seamless login experience. Entering usernames and complex passwords on mobile phones or tablets is inhibitive. 

Equally, data protection is now seen as a competitive advantage. Data breaches are hitting the headlines daily - and arguably a breach may not have a long-term impact on things like share price - but the short term brand damage, trust and credibility factors are considerable. An end user not only demands their personal data and personal identifiable information is kept secure and confidential, they demand full transparency around data transfers to any third parties too. Is their data encrypted? Are principles such as least privilege used and can access revocation be simply and quickly applied?

Emerging security challenges

The security architecture of a modern enterprise is rapidly changing. In order to deliver a genuinely transformative digital service, new and emerging success criteria are emerging. Digital requires speed, agility and iteration. Taking 12 months to deliver a new mobile app is too long - the competitive advantage can be lost to a lean and mean disruptive competitor.

However, speed often negates the nuances of security. Emerging development patterns, such as delivering applications in small and easily integrated chunks as micro-services is now common. Micro-services promote agile and iterative development cycles, where the time to market is faster and more open to change and iteration. The security of those applications, now moves from protecting one big monolithic ‘castle’, to numerous smaller outbuildings - all needing to communicate seamlessly with one another.

The security pattern becomes less about big barriers and firewalling the ‘bad from the good’, but more about developing multiple fine-grained barriers at every point of the user data journey.

Threats at all levels are now pervasive. Organisations delivering online services, need to be aware not only of malicious activity looking to steal user data but also the increasing cost of bot activity. Fake account registrations can not only degrade a systems performance, but can entirely skew user analytics and insight.

Modern threat intelligence and bot protection systems require signals from multiple different sources, in order to build a multi-layered defence. A user login system is less about authentication, but more user discovery - is this interaction working with a bot or human? Is the human a friend or foe?


Digital transformation is one of the greatest business opportunities of the last 100 years. The opportunities to deliver personalised content, retail and financial services to a loyal customer can generate significant revenue and competitive advantage.

However, that comes at a cost. The cultural and technical changes required to fulfil those opportunities is not trivial. It requires a deep understanding of the end user requirements, without negating the needs of security, privacy and consent management.